What are we talking about

A mobile network operator Core Network

Network passive capture showing Global Titles

Mobile Operators
• Conveys the majority of voice communications worldwide

• Conveys our data

• Conveys growing M2M traffic

• Emergency systems notifications use it

=> We now rely on it and we have some security expectations
Mobile Operators and governance

In Europe

ENISA (European Network and Information Security Agency) - Technical Guideline for Minimum Security Measures: Guidance on the security measures in Article 13a


2.2 Security and integrity 

Paragraphs 1 and 2 of Article 13a contain two different requirements: 

• Paragraph 1 requires Telcos to "take appropriate technical and organisational measures to appropriately manage the risks posed to security of networks and services", and to take measures "to prevent and minimise the impact of security incidents on users and interconnected networks". 

• Paragraph 2 requires Telcos to "take all appropriate steps to guarantee integrity of 
their networks, and thus ensure the continuity of supply of services". 


NATO Parliamentary Assembly

European Commission


In order to facilitate improvements in the protection of ECIs, common methodologies may be developed for the identification and classification of risks, threats and vulnerabilities to infrastructure assets.

(14) The efficient identification of risks, threats and vulnerabilities in the particular sectors requires communication both between owners/operators of ECIs and the Member States, and between the Member States and the Commission. Each Member State should collect information concerning ECIs located within its territory. The Commission should receive generic information from the Member States concerning risks, threats and vulnerabilities in sectors where ECIs were identified, including where relevant information on possible improvements in the ECIs and cross-sector dependencies, which could be the basis for the development of specific proposals by the Commission on improving the protection of ECIs, where necessary.


NATO Parliamentary Assembly, Committee Reports, 2007 Annual Session: 162 CDS 07 E rev 1 - THE PROTECTION OF CRITICAL INFRASTRUCTURES
Mobile Operators and governance

• In France

DEFENSE ET SECURITE NATIONALE - 2013 (French white paper on defence and national security)

Ensure the continuity of essential functions

Since 2006 the State has been implementing a security policy for activities of vital importance, which applies to twelve sectors of activity and aims to assess and prioritise risks and threats, then to draw up the measures to [...]. This policy, which relies on a close partnership with the operators, will be overhauled in order to take better account of all risks and threats and to ensure the continuity of essential functions. This overhaul will also aim at greater awareness among all public and private actors, as well as better information for citizens. With this in mind, education, training and communication actions will be conducted towards target audiences.


Let's check the reality ...
The Witness: An HLR/HSS

Typical HLR/HSS in use in an operator Core Network (diagram: HLR Front End, HSS Front End, Provisioning DSA, Routing DSA, Install Server, Admin, Provisioning Gateway)
HLR/HSS in Mobile Core Network

A mobile network operator Core Network: network passive capture showing Global Titles
HLR/HSS in Mobile Core Network

Telecom network architecture: HLR / HSS function in the Core Network (diagram: Access - BTS, NodeB, eNodeB; Core - MSC, VLR; Services - PSTN / PLMN, Internet, Application Services; © Tecore, Inc., Tecore Networks Product Portfolio)

Hacking Telco equipment: The HLR/HSS - Laurent Ghigonis - P1 Security


2014, Hackito Ergo Sum - Security Conference

P1 Security - Priority One Security

HLR/HSS in Mobile Core Network

• HLR is used in all 2G Operator Networks

• HSS is used in all 3G/4G Operator Networks

• Stores customer data

- Subscriber identifier (IMSI)
- Subscriber encryption keys
- Subscriber approximate location
- Subscriber SIM plan options

• Critical to the operator
HLR/HSS in Mobile Core Network

HLR/HSS receiving subscriber location updates from the operator's SS7/Diameter signaling links
Let's make it talk ...

Plan

HLR/HSS Robustness assessment

• Virtualization

- Virtualization and instrumentation

• System Analysis

- Local root, Framework complexity

• Network Fuzzing

- SS7 Protocols

• Binaries Reverse

- More vulns
HLR/HSS Virtualization

No, it's not ATCA / NFV
An HLR/HSS is an ecosystem

• HLR + HSS Front-end

• HLR Administration server

• Application/Database routing servers

• HLR Backend/Database (multiple)

• HSM (Hardware Security Module) for keys
HLR/HSS is never alone

HLR/HSS Redundancy
Where to start

• Most exposed from the outside => HLR/HSS Front-end

- Receives SS7/Diameter traffic

  • Telecom network stacks

- Receives provisioning requests

- Connected to the HSM
Where to start

Typical HLR/HSS in use in an operator Core Network (same diagram as above)
Virtualization of HLR/HSS Frontend

Original Equipment Manufacturer

• Specs of the real equipment
- i386 / x64 / Sparc
- Solaris / CentOS
- 32 GB of RAM
- CPU 16 Cores
- TB hard drive + External SAN
Qemu/KVM

• Faster than VirtualBox

• More flexible

• Tweak code to add more network interfaces

• VDE Switch for networking
Qemu/KVM

qemu-system-x86_64 \
  -machine type=pc,accel=kvm:tcg -pidfile ./myhlr.pid \
  -m 7.2g -smp 4 -drive file=/dev/mapper/lvm-vm--myhlr,cache=none \
  -vnc 127.0.0.1:2,password,tls,lossy -display curses -rtc base=localtime,driftfix=slew \
  -net vde,vlan=1,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=1,macaddr=52:54:00:00:10:01 \
  -net vde,vlan=2,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=2,macaddr=52:54:00:00:10:02 \
  -net vde,vlan=3,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=3,macaddr=52:54:00:00:10:03 \
  -net vde,vlan=4,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=4,macaddr=52:54:00:00:10:04 \
  -net vde,vlan=5,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=5,macaddr=52:54:00:00:10:05 \
  -net vde,vlan=6,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=6,macaddr=52:54:00:00:10:06 \
  -net vde,vlan=7,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=7,macaddr=52:54:00:00:10:07 \
  -net vde,vlan=8,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=8,macaddr=52:54:00:00:10:08 \
  -net vde,vlan=9,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=9,macaddr=52:54:00:00:10:09 \
  -net vde,vlan=10,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=10,macaddr=52:54:00:00:10:0a \
  -net vde,vlan=11,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=11,macaddr=52:54:00:00:10:0b \
  -net vde,vlan=12,sock=/home/vm-kvm/myhlr/vde-myhlr.ctl -net nic,vlan=12,macaddr=52:54:00:00:10:0c

• Physical partition for disk

- Do not use a disk file on host btrfs

  • super slow

  • ext4 is ok

- http://www.linux-kvm.org/page/Tuning_KVM

• Curses output

• Improvements: serial terminal
Qemu/KVM

• Solaris 10

- Qemu/KVM ok for x64

- Fails for SPARC

• Stock kernel

- /kernel

- /usr/kernel

• Custom kernel modules

- For Telecom Signaling [Signalware]

• Uses grub

• Failsafe mode
Inside the machine

• ZFS filesystem

• Solaris 10

• Everything is installed via packages

• Multiple Oracle databases

- Even on HLR/HSS Front-end only

• A lot of Middleware framework to start the actual network stacks / applications

• Telco stacks: based on Ulticom Signalware

• The OS expects its precious network cards
System Analysis

The filesystem

• ZFS = Filesystem + Volume manager
• ZFS pool (often mirrored)

- ZFS root pool

  • 100-200GB usually enough
  • Prepare free space for system/processes dump

- ZFS Dump pool

  • Should be more than the size of your RAM

- ZFS SWAP pool

  • Should be more than the size of your RAM
The filesystem

• ZFS offers good resilience against data corruption, and is very picky when there is too much corruption

- You can't recover when the filesystem is too badly broken
- You can try

$ zdb -e -p /dev/dsk/c0t3d0p0 -F -X -AAA -dd rpool 1
$ zpool import -f -F -X 19485729304958623456 mypool
$ zpool import -o readonly=on -o autoreplace=on -o failmode=continue -m -N -f -F -X 19485729304958623456 mypool

• If it fails

- Code your own tool by modifying ZOL (ZFS on Linux)

http://zfsonlinux.org/
Filesystem / (directory listing on the slide):

advdata/  autoinstmnt/  bin@  boot/  cust_data/  dump@  environment.txt*  etc/  export/  false/  global@  home/  installmnt/  kernel/  TspAcc@  TspAccBackup@  TspCore@  tspinst/  TspTickets/  updateSW/  usr/  var/  vol/

Annotations on the slide (in order): Grub/platform + failsafe; Home + Applications data + Telco specific apps; Applications data; Kernel; Telco specific apps; Crashdumps from Telco specific apps
Some packages installed

application SMAWrtp - Telecommunication Service Platform (TSP) Base Package

application OMNI - Signalware System

application S6U-4 - Signalware System

application OMNI-C7X - Signalware C7 Extensions

application INTPahacu - AC Utimaco HSM
Low hanging fruits

• SUID executables

- SUID Total: 162 (155 binaries, 7 scripts)

- SUID Root: 142 (137 binaries, 5 scripts)

• Signalware boot process "becoming root" by design
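An added example, my code and not from the talk, that produces the counts on this slide for any root directory: root-owned versus other SUID files, and interpreter scripts versus binaries told apart by their #! line. The sample tree it builds is constructed, not taken from an HLR.

```python
"""Added example (not from the talk): reproduce the SUID inventory counts of
the 'Low hanging fruits' slide for any root directory, separating root-owned
files from the rest and interpreter scripts from binaries."""
import os
import stat
import tempfile


def classify(path):
    """'script' if the file starts with a #! interpreter line, else 'binary'."""
    try:
        with open(path, "rb") as fh:
            return "script" if fh.read(2) == b"#!" else "binary"
    except OSError:
        return "binary"


def suid_inventory(root):
    """Walk root without following symlinks; return (path, owner_uid, kind)
    for every regular file that carries the setuid bit."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry: skip, do not abort
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_uid, classify(path)))
    return found


def summarize(entries):
    """Counts in the slide's shape: {'total': (all, binaries, scripts),
    'root': (root-owned, binaries, scripts)}."""
    def counts(items):
        scripts = sum(1 for _, _, kind in items if kind == "script")
        return (len(items), len(items) - scripts, scripts)
    return {"total": counts(entries),
            "root": counts([e for e in entries if e[1] == 0])}


def make_fixture():
    """Constructed sample tree (not a real HLR): two SUID 'binaries', one SUID
    shell script and one plain file. Returns the temporary directory."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    files = (("b1", b"\x7fELF", 0o4755), ("b2", b"\x7fELF", 0o4755),
             ("s1", b"#!/bin/sh\nid\n", 0o4755), ("plain", b"x", 0o755))
    for name, body, mode in files:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


def fixture_summary():
    """Inventory of the constructed tree; its total is (3, 2, 1)."""
    return summarize(suid_inventory(make_fixture()))


if __name__ == "__main__":
    s = summarize(suid_inventory("/"))
    print("SUID Total: %d (%d binaries, %d scripts)" % s["total"])
    print("SUID Root: %d (%d binaries, %d scripts)" % s["root"])
```

Run against "/" on the front-end image to get the slide's two lines; the root-owned count is the one to review first.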












Boot log excerpt from the slide (Signalware / RTP start-up):

Feb 27 04:14:39 mon: High watermark 1024 Low watermark 768 (in Kbytes)
Write Queue 0xffffffffa55dab78
Read Queue 0xffffffffa55daa80
Feb 27 04:14:40 susys: NOTICE: (c7tcap 0 Q 0x ) Configuration:
Feb 27 04:14:40 on/off gprs : OFF
Feb 27 04:14:40 backup length : 0
Becoming root...
Starting HIP ... already running.
Starting RtpNode
Setting NLSPATH=/export/home/rtp99/99/data/zL/zN.cat:/export/home/rtp99/99/cust_data/zL/zN.cat:/export/home/omni/locale/english/zN.cat
About to exec ... /opt/SMAW/SMAWrtp/bin/RtpNm
NM: multicast disabled
RtpNm processes started
NM: LocalMaxProcesses=1024 (1024) ComMaxAliases=2048 ComMaxMiniQueues=2048 (Genii = 120000)
NM: ComMaxAliasMemberEntries=16384 ComMaxAliasMemberNames=8192
NM: maxDirectConnections = 16 directConnectionSendTimeout=2000 directConnTosVal=144
NM: mutexMode=2
RtpNode is coming up
Local roots

• Of course, we often find multiple local roots

• Some are really too easy (one command):

Number of unsuccessful login since last successful login is 0
Last login: ... from ...

$ id
uid= (rtp99) gid= (dba)
$ ...
bash-3.2# id
uid=0(root) gid=1521(dba)
bash-3.2#
Example of Telco network stack: NSN TSP / RTP + Ulticom Signalware

• TSP + RTP frameworks are found on NSN NT-HLR

- Found in many European and worldwide operators

- Very similar to Apertio OneHLR

• TSP: Telco Server Platform (Ericsson) / Telco Service Platform (NSN, others, generic name)

• RTP: Resilient Telco Platform (NSN)
Example of Telco network stack: NSN TSP / RTP + Ulticom Signalware

• SS7 Protocol handling (diagram on the slide)

- TSP Framework [NSN]: handles TCAP and MAP services [Java executables, uses C libraries]

- Signalware stack [Ulticom]: handles SCTP, M3UA, SCCP, TCAP [kernel modules and userland binaries]

- RTP Framework [NSN]: starts all Telco specific applications [shell scripts and binaries]
Network Fuzzing

Fuzzing SS7: M3UA

• Example: Flooding badly handled

- Leads to alerts flooding in OSS

- Leads to loss of previous alerts!

- P1VID#799

Description

IntpLogProcGroup_257: Log type OAM Security Management Log has reached the maximum fill level (100 percent). Data is lost!

Long Text

Log messages of the Advantage system are stored in a local repository until they are collected by the Log Management Application of the Advantage Commander. There is a log type specific maximum number of messages being stored in the repository.

The repository now is filled up. The oldest log messages are being deleted
Fuzzing SS7: SCCP

• Example result: 1 specific MSU repeated 2 times causes DoS of all Signaling Interconnections

- HLR is down during 2 minutes

core 'core.xxx' of 15477: /export/home/xxx
01 msu_processing ()
02 msg_distribution ()
03 main ()
04 _start ()

- If the attack is repeated, the DoS lasts for the duration of the attack

So long for the critical infrastructure ...
Fuzzing SS7: SCCP

Wireshark capture of the crash (screenshot on the slide): display filter !(sctp.chunk_type == 4) && !(sctp.chunk_type == 5) to hide SCTP heartbeats; M3UA over SCTP, source and destination port m3ua (2905); the packet list shows a single "SCCP Unknown" MSU followed by SCTP DATA retransmissions and SACKs, then repeated SCTP ABORT / INIT pairs as the association is torn down and set up again; the decoded frame ends in a 25-byte Signalling Connection Control Part. Packets: 24967.
Fuzzing SS7: MAP

• Example results: 1 specific MSU causes MAP process crashes

- 5 MSU/second makes the HLR totally unresponsive to any other MAP Query

- 1 MSU/second makes the HLR drop 50% of other MAP Queries

- P1VID#772
Fuzzing Diameter

• Process Crash with 1 specific manually crafted MSU

Application logs:

Services_Esm_Log_Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM: Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type: S6a-xxxxxxxxx

Services_Esm_Log_Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM: Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type: S6a-xxxxxxxxx

UTC Tue Sep 3 01:20:44 2013 Services_Esm_Log_Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM: Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type: S6a-xxxxxxxxx

Services_Esm_Log_Message: vc_Priority=LOG_ERR, vc_MessageInformation=ESM: Service could not be processed correctly, vc_AdditionalInformation=Reason: xxxxxxxxx data unavailable, Message Type: S6a-xxxxxxxxx

Behind that, process core dumps are created...

P1VID#718

Does redundancy save you?

• No!

• Same N front-ends == same crashes

• Messages just need to be sent N times
Binaries reverse

Often, too much help...

• Binaries not stripped

- Debug symbols / function names / ... available

• No anti-debug mechanism

• Libraries headers on production machines

- Great help in understanding the internals

• Large documentation about internals on production machines

- Great help in understanding the internals

• Updated binaries and previous binaries both on production machines

- Binary diff to track issues fixed
Signalware Kernel modules

Example: Parsing of SCCP header (IDA disassembly from the slide)

ua_udt_chkptr1:                                 ; CODE XREF: scic_valid+...
    mov     rdx, qword ptr [sccpin+sccpin.sccpmsgtype]
    movzx   rax, byte ptr [rdx+2]
    lea     rsi, [rax+rdx+2]
    mov     rcx, sccpin
    mov     rdx, r13
    mov     rdi, r14
    call    scic_chk_off                        ; rsi = pointer to check
                                                ; rdi = max_limit
                                                ; return eax: 1=ok 0=bad
    mov     r15d, eax
    test    eax, eax
    jnz     short ua_udt_chkptr2
    mov     dword ptr [sccpin+sccpin.errcode], SC_INVALID_OFFSETS
    jmp     return_r15d

ua_udt_chkptr2:                                 ; CODE XREF: scic_valid+...
    mov     rdx, qword ptr [sccpin+sccpin.sccpmsgtype]
    movzx   rax, byte ptr [rdx+3]
    lea     rsi, [rax+rdx+3]
    mov     rcx, sccpin
    mov     rdx, r13
    mov     rdi, r14
    call    scic_chk_off                        ; rsi = pointer to check
                                                ; rdi = max_limit
                                                ; return eax: 1=ok 0=bad
    mov     r15d, eax
    test    eax, eax
    jnz     short ua_udt_chkclass
    mov     dword ptr [sccpin+sccpin.errcode], SC_INVALID_OFFSETS
    jmp     return_r15d

ua_udt_chkclass:                                ; CODE XREF: scic_valid+...
    mov     rax, qword ptr [sccpin+sccpin.sccpmsgtype]
    movzx   eax, byte ptr [rax+1]
    and     eax, 0Fh
    cmp     eax, 1
    jbe     short ua_udt_chkmsghandling
    mov     r15d, 0                             ; return 0 if class > 1
    mov     dword ptr [sccpin+sccpin.errcode], SC_INVALID_CLASS
    jmp     return_r15d
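An added example, my code and not Ulticom's, NSN's or P1 Security's, doing in Python what the kernel path above does before it touches a payload byte: each UDT pointer is checked against the MSU length (the slide shows the called and calling party pointers; the block also covers the data pointer), then the protocol class, with the slide's SC_INVALID_OFFSETS / SC_INVALID_CLASS codes as the result. The function names, SC_INVALID_TYPE and the sample MSUs are assumed or constructed.

```python
"""Added example (not Ulticom/NSN code): SCCP UDT (ITU-T Q.713) header
validator applying the kernel path's checks: pointer offsets against the MSU
length, then the protocol class. SC_INVALID_TYPE is an assumed error name."""

SCCP_UDT = 0x09                      # message type: Unitdata
SC_INVALID_OFFSETS = "SC_INVALID_OFFSETS"
SC_INVALID_CLASS = "SC_INVALID_CLASS"
SC_INVALID_TYPE = "SC_INVALID_TYPE"  # assumed, not on the slide


class SccpError(ValueError):
    def __init__(self, code):
        super().__init__(code)
        self.code = code


def check_offset(msu, ptr_pos, max_limit):
    """Counterpart of scic_chk_off: the pointer at ptr_pos is relative to its
    own position, must land on a length byte inside max_limit, and that length
    plus the bytes it announces must also fit. A zero pointer would alias the
    pointer byte itself, so it is rejected as well."""
    ptr = msu[ptr_pos]
    if ptr == 0:
        return False
    target = ptr_pos + ptr
    if target >= max_limit:
        return False
    return target + 1 + msu[target] <= max_limit


def parse_udt(msu):
    """Validate a UDT and return its mandatory variable parameters.
    Raises SccpError carrying the slide's error code on a malformed header."""
    max_limit = len(msu)
    if max_limit < 5 or msu[0] != SCCP_UDT:
        raise SccpError(SC_INVALID_TYPE)
    # ua_udt_chkptr*: pointers at offsets 2, 3, 4 -> called, calling, data
    for ptr_pos in (2, 3, 4):
        if not check_offset(msu, ptr_pos, max_limit):
            raise SccpError(SC_INVALID_OFFSETS)
    # ua_udt_chkclass: low nibble of byte 1; a UDT may only be class 0 or 1
    pclass = msu[1] & 0x0F
    if pclass > 1:
        raise SccpError(SC_INVALID_CLASS)
    fields = {"protocol_class": pclass, "msg_handling": msu[1] >> 4}
    for name, ptr_pos in (("called", 2), ("calling", 3), ("data", 4)):
        start = ptr_pos + msu[ptr_pos]             # the parameter's length byte
        fields[name] = bytes(msu[start + 1:start + 1 + msu[start]])
    return fields


def check_udt(msu):
    """None if the header is accepted, otherwise the error code string."""
    try:
        parse_udt(msu)
    except SccpError as err:
        return err.code
    return None


def build_udt(called, calling, data, pclass=0):
    """Builder for constructed samples: lays out the three pointers correctly."""
    p_called = 5                                   # first length byte after the header
    p_calling = p_called + 1 + len(called)
    p_data = p_calling + 1 + len(calling)
    return (bytes([SCCP_UDT, pclass & 0x0F, p_called - 2, p_calling - 3, p_data - 4])
            + bytes([len(called)]) + called
            + bytes([len(calling)]) + calling
            + bytes([len(data)]) + data)


# Constructed samples (not captures from the talk): addresses routed on SSN
# (0x42 = route on SSN, SSN present) towards SSN 6 (HLR) from SSN 8 (MSC),
# with a two-byte placeholder in the data part.
GOOD_UDT = build_udt(b"\x42\x06", b"\x42\x08", b"\x62\x00")
BAD_OFFSET = bytearray(GOOD_UDT)
BAD_OFFSET[4] = 0xFF        # data pointer far beyond the end of the MSU
BAD_LENGTH = bytearray(GOOD_UDT)
BAD_LENGTH[11] = 0x40       # data length byte announces more than the MSU holds
BAD_CLASS = build_udt(b"\x42\x06", b"\x42\x08", b"\x62\x00", pclass=2)
```

The two malformed offset samples are rejected before any parameter is sliced, which is the property the kernel path above enforces and the userland path on the next slides does not.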
Signalware Kernel modules

• Kernel modules signaling parsing is robust

• IPC to communicate with userland binaries

• Complexity leads to other types of errors

- Logic errors

- Race conditions

- Slow handling of some types of MSUs
Signalware userland binaries

• Parsing less robust (less tested)

• Example logic error due to IPC / Framework complexity:

    lea     rsi, ...                ; "%s: received %s.\n"
    mov     edi, ...                ; int
    mov     eax, 0
    call    _tr_exec
    mov     rax, cs:p_sccp_...
    mov     rax, [rax]
    movzx   r13, [rax+...]          ; CRASH ??? *p_sccp = NULL

Null pointer dereference
So verdict?

• Misconceptions!

- No crashes on a Critical Core Network Element

  • FAIL

- Robustness against network attacks

  • FAIL

  • Redundancy != Robust, attack kills Front-ends one by one

- Modern

  • Depends, but from what we see there is much room for improvement
Mobile Operators and governance

(the ENISA, European Commission and French documents quoted earlier are shown again)


• Reality on Threats analysis: Maybe 

• Reality of Telco equipment security: Very bad 

• Public information: Very bad 

• Telco private sector information: Didn't see impact 
Consequences

• Mobile Network crashes with no publicly available explanation

• Spying on phone calls / customer activities from a single point (Core Network) is relatively easy

• Fraud



Recommendations

• Secure SDLC (Secure Software Development Life Cycle)

- Design

- Implementation

- Testing

  • Especially for vendors' custom stacks/services: TCAP/MAP parsing bugs leading to overflows, ...

• Vendor security audits (HLR isolated)

- System audit
- Network audit

• Testbed audits (HLR in environment)

- System audit
- Network audit

- Before deploying to production
Recommendations: securing the OS

• Use Solaris Zones to split services

• Use the Solaris Audit mechanism

• Authenticate the hardware

- To prevent emulation

• Use the latest OS protections against exploitation
- Solaris 11 has ASLR
- Use a custom Linux kernel

• Use a firewall by default on the machine itself

• ...
Recommendations: OSS

• Make it faster!

- People should be able to use it to react when under attack

- E.g. NSN @vantage Commander

• Need access to all low-level network traffic for forensics
Recommendations: For the operators

• Push the vendors to fix the bugs

• Some of the attacks we discovered can be filtered

- Operators do not have to wait for bugs to be fixed

- Filter at perimeter boundaries (typically STP / Router)

- Depends on STP / Router models and security "features"

  • Sometimes filtering options are charged for by the vendor

• It is also possible to filter at the SCCP provider level
To be continued

• Telecom Network Elements security is low

- We tested multiple Network Element types/models, from different vendors

• Vendors, Governments and security researchers have work to do

• Vulnerability disclosure in security critical infrastructure is scarce

- Dangerous?

- Not if there is collaboration
Other aspects of Telecom Security

• We talked here about equipment security
- It's a work in progress, and only HLR/HSS
- Mainly Network Equipment Vendor responsibility

• Also consider

- Other Network Elements security

- GRX / IPX / SCCP Providers security

- Deployment security (password policies, filtering...). Operator responsibility

- Telecom Network Fraud (SS7 spoofing, Call/SMS spoofing, ...). Operator responsibility
That's it, please react.

Thank you

laurent@p1sec.com

http://www.p1sec.com